Linux in the Security Crosshairs

Moving the Target

December 15, 2003

By
Jim Wagner

Compared to Windows, Linux has enjoyed a reputation as a stable and secure operating systems, thanks in large part to an enthusiastic open source community that plugs holes before they create problems.

But Linux's growing popularity is attracting unwanted attention from virus writers, script kiddies, and other criminal elements. In response, Linux advocates are putting a new emphasis on security measures and working to reassure companies that the OS is ready for important business networks.

"There has been a lot of change in the attractiveness of Linux as a target," said Chad Dougherty, an Internet security analyst at the CERT Coordination Center, which tracks OS vulnerabilities. "If you look over time, there has been a consistent level of vulnerabilities."

In recent weeks, two high-profile breaches at popular Linux concerns bear this out. First, the Debian Project had to take their servers down to clean out a remote vulnerability breach. Then, machines at Gentoo were compromised.

In both cases, the perpetrator was able to "sniff" out a password on a developer's unprotected machine, log in and place a remote exploit tool in the kernel, giving them super-user access to the machines. Administrators corrected the problems before damage was done.

Other industry sources also note a rise in Linux attacks. At Zone-H.org, an Internet security site that tracks Web site defacements, the Linux OS platform accounted for 77 percent of the attacks reported, compared to 10.7 percent on Windows servers, Thursday afternoon.

With many large companies thinking of switching from pricey, proprietary software to a lower-cost alternative to Linux, advocates want to short-circuit any perception that the OS is less secure than previously thought.

For example, the Open Source Development Lab (OSDL) recently launched its Linux kernel awareness initiative, a program that explains how the open source technology is developed. The OSDL is the shepherd of the main Linux kernel developed by Linus Torvalds in 1991, who works there as the lead developer.

A critical part of the OSDL's push is the work in the security subsystem of Linux development. The Beaverton, Ore.-based organization, which is readying a new version of its kernel, has been making strides in improving the inherent security of it code.

Several security enhancements will go into this latest version of the Linux kernel: modularization, hardware random number generators and blocking a driver's ability to modify system call-tables. All three give system administrators more configurability options for their servers.

What most CTOs need to understand, said Stacey Quandt, principal analyst at the OSDL, is that most attacks happen when end-users don't protect their passwords, not from an inherent flaw in the kernel that lets attackers get in.

"At the level of the systems administrators, they need to be more careful with their passwords," Quandt said. "Security's easier to do in Linux than what you have in a Microsoft operating system, with some of the remote vulnerabilities that are possible in a Windows system, or at least the remote attacks that are successful."

Linux already has tools that allow admins take more control over the access users have on machines, called Linux Security Modules. The modules are billed as "a lightweight, general purpose framework for access control," and the authors stress the tool are only as good as the technicians administrating them.

Jay Beale, lead developer on the Bastille Linux project and a consultant at JJB Security Consulting & Training, said software will always have flaws, flaws that might one day turn into vulnerabilities.

"There's no real way to avoid the flaws--it's inherent in human endeavor," he said.

There are steps admins can take, however, Beale said, like reducing the complexity of a system, user training, and picking better passwords.

And like Windows, Linux is now suffering because system administrators are not installing security patches to known vulnerabilities or keeping better track of user access, Beale said.

[This article originally appeared at internetnews.com, a sister site to LinuxPlanet.]